Welcome to the Let's Encrypt Community
I've been following this thread and want to make sure that I understand things clearly. Given that you can add TXT records for bvginenglish.com, I'm assuming that you control the DNS records/zone for bvginenglish.com. Is my assumption correct? If so, you should be able to update the DNS zone for bvginenglish.com to fix its records. Delegating the Let's Encrypt dns-01 challenges won't fix the fact that Google dig fails to look up the IP address (A record) for bvginenglish.com, which would make bvginenglish.com appear to be broken for almost anyone who visits the site. This will also cause the email and other aspects of bvginenglish.com to intermittently fail as well. As @JuergenAuer was mentioning, you cannot simply ignore this problem if you want bvginenglish.com to actually function. You don't need to control any servers outside of the bvginenglish.com DNS to fix this. You just need to fix the DNS records for
From Google dig:
not the problem.
It's impossible to find an IP address of the name servers. So it's impossible to check the authoritative name servers if there is a TXT, CAA or A / AAAA record. But checking CAA is always required (http and dns validation), so that's a dead situation.
A name server without an IP address isn't existent and it's impossible to check such a name server.
And that's the reason unboundtest has a loop with the result of an internal timeout. Running my tool the loop was visible (not in the output) - ns1 points to ns2, ns2 points to ns1, but there is no IP address.
You are absolutely correct, @JuergenAuer.
I was just making a plea to ip75 to fix the DNS because by ignoring the actual problem that you've correctly identified, the website itself won't even function (failed A record lookup intermittently).
Here I'm assuming that the DNS issue you've identified is what's causing the A record lookup for bvginenglish.com to intermittently fail. Is that a correct assumption?
It's an intermittent failure. Try a few times.
About 1 out of 5 failures from my testing.
Sorry JuergenAuer, but you have a problem with understanding how DNS works and you have a problem with hearing other people.
Correct way to check challenge is:
- request ns records of issued cert domain from default dns server
- directly request txt record _acme-challenge.example.com from dns server retrieved in 1st step
Not only I am faced with this problem, judging by the Google search.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
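
The dead end described in the thread (ns1 points to ns2, ns2 points to ns1, and no IP address anywhere) can be reproduced offline with a simplified model of delegation. This is an added example, not part of any post in the thread; the zone names, addresses and function names are constructed, and the model ignores caching, TTLs and root/TLD referrals.

```python
def find_zone(name, delegations):
    """Return the longest delegated zone that is a suffix of `name`, or None."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in delegations:
            return candidate
    return None

def ns_addresses(zone, delegations, glue, records, pending=frozenset()):
    """Return (addresses, problems) for the nameservers of `zone`.

    delegations: zone -> NS host names
    glue:        NS host name -> addresses handed out with the referral
    records:     NS host name -> addresses stored inside the zone hosting that
                 name (usable only if that zone's own servers are reachable)
    """
    pending = pending | {zone}          # zones we are still trying to reach
    addresses, problems = [], []
    for ns in delegations.get(zone, []):
        if ns in glue:                  # address came with the referral
            addresses += glue[ns]
            continue
        host_zone = find_zone(ns, delegations)
        if host_zone is None:
            problems.append(f"{ns}: no glue and no delegation for its zone")
        elif host_zone in pending:      # we need a zone we cannot reach yet
            problems.append(f"{ns}: loop, its address lives in {host_zone}")
        else:
            reachable, sub = ns_addresses(host_zone, delegations, glue,
                                          records, pending)
            problems += sub
            if reachable and ns in records:
                addresses += records[ns]
            else:
                problems.append(f"{ns}: cannot obtain an address")
    return addresses, problems

# Constructed sample data (reserved .test names, TEST-NET-1 addresses).
DELEGATIONS = {
    "site.test": ["ns1.dns-a.test", "ns2.dns-b.test"],
    "dns-a.test": ["ns2.dns-b.test"],   # dns-a is served from dns-b ...
    "dns-b.test": ["ns1.dns-a.test"],   # ... and dns-b is served from dns-a
}
RECORDS = {"ns1.dns-a.test": ["192.0.2.1"], "ns2.dns-b.test": ["192.0.2.2"]}

if __name__ == "__main__":
    print(ns_addresses("site.test", DELEGATIONS, {}, RECORDS))   # loop, no address
    print(ns_addresses("site.test", DELEGATIONS,
                       {"ns1.dns-a.test": ["192.0.2.1"]}, RECORDS))  # one glue record
```

With no glue the function returns no addresses at all, so nothing authoritative can be asked for TXT, CAA or A records; adding an address for a single nameserver breaks the loop.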